Random .exes appearing, related problems

nomad312

Hey. I was pointed to a thread on this forum a few weeks ago and bookmarked it for future use. I have a problem which I hope you guys could suggest solutions to.

My OS is Win 2k Pro, I use ZoneAlarm as my firewall, McAfee for anti-virus, and have Spybot installed. In the last week or so I've noticed, twice, that my computer has restarted itself when I wasn't around to see it. I wasn't sure how or why, until it happened tonight, when I saw a message box claiming that something was wrong with services.exe and a restart would be forced in 60 seconds.

Before this, I've been seeing popups from McAfee claiming to have found trojans and/or worms (can't remember if it was one or the other or both) in various .exe files. Several times these were found simply in C:\, other times they were found in internet cache folders. Some did not have any names at all. These popups usually came 2-5 at a time, then stopped and would appear again later. I've run two full virus scans this week, and both turned up empty.

In addition to this, I've seen two strange .exes try to gain internet access: "symmec" and "netbeans." I denied both of these, of course. And finally, I noticed a process called zlclint.exe (as opposed to zlclient.exe, which seems to be the ZoneAlarm program).

So tonight after the forced restart, I started in safe mode and went searching for all of these strange .exes. Starting with zlclint, I found it in system32 as well as in two different internet cache folders. I found several tiny exes in the C:\, with names such as "m", "U", or "m1s." Then I ran a search on all .exes in my internet cache folders, and found a few more... but my mistake there was to only search my own user's folder. Next, I did a search on the whole "documents and settings" folder, and found several more, including both "symmec" and "netbeans." All of these exes I found were deleted. After this, I did a search for any exes created within the last seven days (a trait they all shared), and found nothing besides what I'd personally downloaded.

I was satisfied with that and restarted in normal mode... so far I've not seen anything out of the ordinary. But I thought I would ask here to see if the users of this forum knew what this oddity is, and if there are any additional steps I should take (I am not going to reformat this drive, though).

Thanks in advance.
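
The manual search described in the post above (executables created within the last seven days, plus names that imitate a legitimate one, such as zlclint.exe versus zlclient.exe) can be scripted. This is an added example, not part of the original thread; the `KNOWN_GOOD` allow-list, the one-character edit-distance rule and the function names are assumptions.

```python
import os
import time

# Assumed allow-list of legitimate executable names (constructed for this example).
KNOWN_GOOD = {"zlclient", "services", "svchost", "explorer"}

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(stem, known=KNOWN_GOOD):
    """Return the known-good name that `stem` is one edit away from, else None."""
    stem = stem.lower()
    if stem in known:
        return None  # exact match: the legitimate name itself
    return next((g for g in sorted(known) if edit_distance(stem, g) == 1), None)

def triage(roots, days=7, now=None):
    """Return (path, reasons) for every recent .exe found under `roots`."""
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(".exe"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # locked or vanished file
                # st_ctime is the creation time on Windows; a recent value in
                # either timestamp keeps the file in scope.
                if max(st.st_ctime, st.st_mtime) < cutoff:
                    continue
                stem, reasons = name[:-4], [f"new in last {days} days"]
                good = lookalike_of(stem)
                if good:
                    reasons.append(f"name imitates {good}.exe")
                if len(stem) <= 3:  # e.g. "m", "U", "m1s", or no name at all
                    reasons.append("very short or empty name")
                findings.append((path, reasons))
    return sorted(findings)
```

Pass every profile under "Documents and Settings" as a root, not only your own, since the post notes that searching a single user's folder missed files.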
 
Having multiple .exe programs running that you did not give permission to can be a bad thing, unless you know what they are and what they're doing.

Here are some things you can do for now:

1) Click Start / Run / type "msconfig" without the quotes / then Enter.

2) Click the Startup tab, now go through there and uncheck the programs you think are suspicious. If you uncheck one that the OS needs to run at startup, it will check itself back automatically at bootup.
 
~mr mixx~ said:
Having multiple .exe programs running that you did not give permission to can be a bad thing, unless you know what they are and what they're doing.

Here are some things you can do for now:

1) Click Start / Run / type "msconfig" without the quotes / then Enter.

2) Click the Startup tab, now go through there and uncheck the programs you think are suspicious. If you uncheck one that the OS needs to run at startup, it will check itself back automatically at bootup.
You're the second person who's referred me to "msconfig" now. But I apparently don't have this program, as it tells me it can't be found. Is that an XP only thing? Because I'm using 2k pro.

Also, I'm not sure these things appear at startup. One interesting thing that I discovered yesterday is that there are only problems when I turn off ZoneAlarm. I've had to do that to use a certain program yesterday (I'm certain it's not causing the problems, though... just something else getting through while ZA was down). Something seems to be creating and running these exes, or downloading them, while ZA is down... and I wish I knew what that thing was so I could kill the root of the problem instead.

Finally, I noted that two different worms/bots/etc were caught yesterday in such apps. One name contained "IRCgen," the other I believe was "rahack."
 
My apologies... when most members create a thread with a certain problem, I assume they are using Windows XP as their OS. I believe if you do a scan on-line with HouseCall, that is if you have a fast connection.

Also you may want to upgrade to Windows XP, it will solve a lot of issues. Windows 2k is not as stable of an operating system as people think, although I know there are some who have slipped through the cracks of errors.
 
~mr mixx~ said:
My apologies... when most members create a thread with a certain problem, I assume they are using Windows XP as their OS.
~mr mixx~ said:
Also you may want to upgrade to Windows XP, it will solve a lot of issues. Windows 2k is not as stable of an operating system as people think, although I know there are some who have slipped through the cracks of errors.
If I didn't already have XP on my laptop I might consider it, but I'm holding out with 2k on my desktop for as long as reasonably possible. I did find out that one can run msconfig.exe on a 2k machine, though there's supposed to be at least one process you should never disable in 2k lest you completely screw the OS (anyone know which one(s)?). Anyway, zlclint was among the processes and so I disabled it, but did that actually get rid of it? Seems to me that flipping an "enable" flag doesn't delete the app from wherever it's spawning on the HDD, nor from the registry (which I can only assume it's messed with - I'm not experienced with the registry).

~mr mixx~ said:
I believe if you do a scan on-line with HouseCall, that is if you have a fast connection.
Fast... sort of. Reliable, no. Campus internet by Comcast. I can load pages and send IMs with no problems, but... let me put it this way, it was a miracle that I finally got Spybot's update to finish (and then it found nothing, too).
 
freestyler105 said:
zlclient was part of ZoneAlarm, you should re-enable it.

Post a HijackThis log here:
http://www.download.com/HijackThis/3000-8022_4-10379544.html
zlcliEnt was, yes...
And finally, I noticed a process called zlclint.exe (as opposed to zlclient.exe, which seems to be the ZoneAlarm program).

I've never used HijackThis, but I'll get around to it tonight (I'll have to download it on my laptop and bring it here since this building's crappy LAN can't hold the download link long enough).
 